Existing approaches to the synthesis of reactive systems typically involve the construction of transition systems such as Mealy automata. However, in order to obtain a succinct representation of the desired system, structured programs can be a more suitable model. In 2011, Madhusudan proposed an algorithm to construct a structured reactive program for a given ω-regular specification without synthesizing a transition system first. His procedure is based on two-way alternating ω-automata on finite trees that recognize the set of "correct" programs.

We present a more elementary and direct approach using only deterministic bottom-up tree automata that compute so-called signatures for a given program. In doing so, we extend Madhusudan's results to the wider class of programs with bounded delay, which may read several input symbols before producing an output symbol (or vice versa). As a formal foundation, we inductively define a semantics for such programs.



1 Introduction 

Algorithmic synthesis is a rapidly developing field with many application areas such as reactive systems, planning and economics. Most approaches to the synthesis of reactive systems, for instance [2, 12, 11, 8], revolve around synthesizing transition systems such as Mealy or Moore automata. Unfortunately, the resulting transition systems can be very large. This has motivated the development of techniques for the reduction of their state space (for example, 0). Furthermore, the method of bounded synthesis [14, 4] can be used to synthesize minimal transition systems by iteratively increasing the bound on the size of the resulting system until a solution is found. However, it is not always possible to obtain small transition systems. For example, for certain specifications in linear temporal logic (LTL), the size of the smallest transition systems satisfying these specifications is doubly exponential in the length of the formula [13].

Aminof, Mogavero and Murano [1] provide a round-based algorithm to synthesize hierarchical transition systems, which can be exponentially more succinct than corresponding "flat" transition systems. The desired system is constructed in a bottom-up manner: In each round, a specification is provided and the algorithm constructs a corresponding hierarchical transition system from a given library of available components and the hierarchical transition systems created in previous rounds. Thus, in order to obtain a small system in the last round, the specifications in the previous rounds have to be chosen in an appropriate way.

Current techniques for the synthesis of (potentially) succinct implementations in the form of circuits or programs typically proceed in an indirect way, by converting a transition system into such an implementation. For example, Bloem et al. first construct a symbolic representation (a binary decision diagram) of an appropriate transition system and then extract a corresponding circuit. However, this indirect approach does not necessarily yield a succinct result.
Madhusudan addresses this issue in [10], where he proposes a procedure to synthesize programs without computing a transition system first. He considers structured reactive programs over a given set of Boolean variables, which can be significantly smaller (regarding the length of the program code) than equivalent transition systems. To some degree, these programs separate control flow from memory. Such a separation can also be found in a related approach that has recently been introduced by Gelderie [5], where strategies for infinite games are represented by strategy machines, which are equipped with control states and a memory tape.

Given a finite set of Boolean variables and a nondeterministic Büchi automaton recognizing the complement of the specification, Madhusudan constructs a two-way alternating ω-automaton on finite trees that recognizes the set of all programs over these variables that satisfy the specification. This automaton can be transformed into a nondeterministic tree automaton (NTA) to check for emptiness and to extract a minimal program (regarding the height of the corresponding tree) from that set. In contrast to the transition systems constructed by classical synthesis algorithms, the synthesized program does not depend on the specific syntactic formulation of the specification, but only on its meaning.

In this paper, we present a direct construction of a deterministic bottom-up tree automaton (DTA) 
recognizing the set of correct programs, without a detour via more intricate types of automata. The 
DTA inductively computes a representation of the behavior of a given program in the form of so-called 
signatures. A similar representation is used by Lustig and Vardi in their work on the synthesis of reactive 
systems from component libraries to characterize the behavior of the components. 

Our approach is not limited to programs that read input and write output in strict alternation, but extends Madhusudan's results to the more general class of programs with bounded delay: In general, a program may read multiple input symbols before writing the next output symbol, or vice versa, causing a delay between the input sequence and the output sequence. In a game-theoretic context, such a program corresponds to a strategy for a controller in a game against the environment where in each move the controller is allowed to either choose at least one output symbol or skip and wait for the next input (see 0). We consider programs that never cause a delay greater than a given bound $k \in \mathbb{N}$.

For a fixed $k$, the complexity of our construction matches that of Madhusudan's algorithm. In particular, the size of the resulting DTA is exponential in the size of the given nondeterministic Büchi automaton recognizing the complement of the specification, and doubly exponential in the number of program variables. In fact, we establish a lower bound, showing that the set of all programs over $n$ Boolean variables that satisfy a given specification cannot even be recognized by an NTA with fewer than $2^{2^{n-1}}$ states, if any such programs exist. However, note that a DTA (or NTA) accepting precisely these programs enables us to extract a minimal program for the given specification and the given set of program variables. Hence, the synthesized program itself might be rather small.

To lay a foundation for our study of the synthesis of structured reactive programs, we define a formal 
semantics for such programs, which is only informally indicated by Madhusudan. To that end, we 
introduce the concept of Input/Output/Internal machines (IOI machines), which are composable in the 
same way as structured programs. This allows for an inductive definition of the semantics. 



2 Syntax and Semantics of Structured Programs 

We consider a slight modification of the structured programming language defined in [10], using only single Boolean values as input and output symbols to simplify notation. Expressions and programs over a finite set $B$ of Boolean variables are defined by the following grammar, where $b \in B$:

$\langle expr\rangle ::= \mathsf{true} \mid \mathsf{false} \mid b \mid \langle expr\rangle \wedge \langle expr\rangle \mid \langle expr\rangle \vee \langle expr\rangle \mid \neg\langle expr\rangle$

$\langle prog\rangle ::= b := \langle expr\rangle \mid \mathsf{input}\ b \mid \mathsf{output}\ b \mid \langle prog\rangle ; \langle prog\rangle \mid \mathsf{if}\ \langle expr\rangle\ \mathsf{then}\ \langle prog\rangle\ \mathsf{else}\ \langle prog\rangle \mid \mathsf{while}\ \langle expr\rangle\ \mathsf{do}\ \langle prog\rangle$

Intuitively, "input $b$" reads a Boolean value and stores it in the variable $b$. Conversely, "output $b$" writes the current value of $b$. To define a formal semantics we associate with each program a so-called IOI machine. An IOI machine is a transition system with designated entry and exit states. It can have input, output and internal transitions, with labels of the form $(a_{in}, \varepsilon)$, $(\varepsilon, a_{out})$ or $(\varepsilon, \varepsilon)$, respectively, where $a_{in}, a_{out} \in \mathbb{B} = \{0, 1\}$. An IOI machine is equipped with a finite set $B$ of Boolean variables, whose valuation is uniquely determined at each state. A valuation is a function $\alpha : B \to \mathbb{B}$ that assigns a Boolean value to each variable.

The associated IOI machine of an atomic program (i.e., an input statement, an output statement or an assignment) has one entry state and one exit state for each possible variable valuation, and its transitions lead from entry states to exit states. For example, at each entry state of the IOI machine associated with an atomic program of the form "input $b$", there are two outgoing input transitions, one for each possible input symbol. The target of such an input transition is the exit state whose variable valuation is obtained by replacing the value of $b$ with the respective input symbol. The IOI machine of a composite program is constructed inductively from the IOI machines of its subprograms, using their entry and exit states and the variable valuations of these states.

A computation $\rho$ of a program is a finite or infinite sequence of subsequent transitions of the corresponding IOI machine:

$$\rho = q_1 \xrightarrow{(a_1, b_1)} q_2 \xrightarrow{(a_2, b_2)} q_3 \xrightarrow{(a_3, b_3)} \cdots$$

The label of $\rho$ is the pair of finite or infinite words $(a_1 a_2 a_3 \ldots,\ b_1 b_2 b_3 \ldots) \in (\mathbb{B}^* \cup \mathbb{B}^\omega) \times (\mathbb{B}^* \cup \mathbb{B}^\omega)$. An initial computation starts at the unique entry state where all variables have the value 0. The infinite behavior $\langle\langle p\rangle\rangle$ of a program $p$ is the set of infinite input/output sequences $(\alpha, \beta) \in \mathbb{B}^\omega \times \mathbb{B}^\omega$ that can be produced by an initial computation of $p$. Furthermore, we call a program reactive if all its initial computations can be extended to infinite computations that yield an infinite input and output sequence.

At any given time during a computation $\rho$ as above, the length of the input sequence $a_1 a_2 \ldots a_i$ and that of the output sequence $b_1 b_2 \ldots b_i$ may differ. The supremum of these length differences along a computation is called the delay of the computation. If the delay of a computation does not exceed a given bound $k \in \mathbb{N}$, we call the computation $k$-bounded. A program is $k$-bounded if all its computations are $k$-bounded. By restricting the infinite behavior of a program $p$ to labels of $k$-bounded initial computations, we obtain the $k$-bounded infinite behavior $\langle\langle p\rangle\rangle_k$ of $p$.
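To make the semantics above concrete, the following Python simulator is an added example and not code from the paper. It executes a program from the all-zero valuation on a constructed finite input word, records the labels $(a_{in}, \varepsilon)$, $(\varepsilon, a_{out})$ and $(\varepsilon, \varepsilon)$ of the IOI transitions it takes, and reports the input word read, the output word written and the delay of that computation. The AST encoding, the names `eval_expr`, `Computation`, `simulate`, and the sample programs `DELAY2` and `SINK` are our own; `FIG1` is the program of Figure 1.

```python
from typing import Dict, List, Optional, Tuple, Union

EPS = None  # stands for the empty word epsilon in a transition label

# Expressions: True/False, a variable name, ('and', e1, e2), ('or', e1, e2), ('not', e)
Expr = Union[bool, str, tuple]
# Programs: ('assign', b, expr) | ('input', b) | ('output', b) | ('seq', p1, p2)
#           | ('if', expr, p1, p2) | ('while', expr, p1)
Prog = tuple


def eval_expr(e: Expr, val: Dict[str, int]) -> int:
    """Evaluate a Boolean expression under the valuation val: B -> {0, 1}."""
    if isinstance(e, bool):
        return int(e)
    if isinstance(e, str):
        return val[e]
    if e[0] == 'not':
        return 1 - eval_expr(e[1], val)
    x, y = eval_expr(e[1], val), eval_expr(e[2], val)
    return x & y if e[0] == 'and' else x | y


class Computation:
    """An initial computation of the IOI machine: every variable starts at 0 and
    the environment supplies the (constructed, finite) input word `inputs`."""

    def __init__(self, variables: List[str], inputs: List[int]):
        self.val = {b: 0 for b in variables}
        self.inputs = list(inputs)
        self.labels: List[Tuple[Optional[int], Optional[int]]] = []
        self.delay = 0        # supremum of |#inputs - #outputs| seen so far
        self.blocked = False  # set when an input statement finds no more input

    def _emit(self, a_in: Optional[int], a_out: Optional[int]) -> None:
        self.labels.append((a_in, a_out))
        n_in = sum(1 for a, _ in self.labels if a is not EPS)
        n_out = sum(1 for _, b in self.labels if b is not EPS)
        self.delay = max(self.delay, abs(n_in - n_out))

    def run(self, p: Prog, budget: int) -> int:
        """Execute p, spending one unit of budget per transition.  Returns the
        remaining budget, or -1 if the budget was exhausted (p did not terminate
        within it).  A blocked computation makes every further statement a no-op."""
        if self.blocked:
            return budget
        kind = p[0]
        if kind in ('input', 'output', 'assign'):
            if budget == 0:
                return -1
            if kind == 'input':
                if not self.inputs:
                    self.blocked = True           # waiting for the environment
                    return budget
                a = self.inputs.pop(0)
                self.val[p[1]] = a
                self._emit(a, EPS)                # input transition (a_in, eps)
            elif kind == 'output':
                self._emit(EPS, self.val[p[1]])   # output transition (eps, a_out)
            else:
                self.val[p[1]] = eval_expr(p[2], self.val)
                self._emit(EPS, EPS)              # internal transition (eps, eps)
            return budget - 1
        if kind == 'seq':
            rest = self.run(p[1], budget)
            return rest if rest < 0 else self.run(p[2], rest)
        if kind == 'if':
            return self.run(p[2] if eval_expr(p[1], self.val) else p[3], budget)
        # 'while': the guard is re-evaluated before every iteration
        while eval_expr(p[1], self.val):
            budget = self.run(p[2], budget)
            if budget < 0 or self.blocked:
                break
        return budget


def simulate(p: Prog, variables: List[str], inputs: List[int],
             budget: int = 1000) -> Tuple[str, str, int]:
    """Run p on `inputs`; return (input word read, output word written, delay)."""
    c = Computation(variables, inputs)
    c.run(p, budget)
    word_in = ''.join(str(a) for a, _ in c.labels if a is not EPS)
    word_out = ''.join(str(b) for _, b in c.labels if b is not EPS)
    return word_in, word_out, c.delay


# The program of Figure 1: strict alternation of input and output, hence delay 1.
FIG1 = ('while', True, ('seq', ('input', 'b1'),
                        ('seq', ('assign', 'b2', ('or', 'b2', 'b1')),
                                ('output', 'b2'))))
# A constructed variant that reads two inputs before writing two outputs: delay 2.
DELAY2 = ('while', True, ('seq', ('input', 'b1'), ('seq', ('input', 'b2'),
                          ('seq', ('output', 'b1'), ('output', 'b2')))))
# A constructed program that only reads: its delay grows with every input.
SINK = ('while', True, ('input', 'b1'))

if __name__ == '__main__':
    print(simulate(FIG1, ['b1', 'b2'], [0, 0, 1, 0]))    # ('0010', '0011', 1)
    print(simulate(DELAY2, ['b1', 'b2'], [1, 0, 1, 1]))  # ('1011', '1011', 2)
    print(simulate(SINK, ['b1'], [1] * 5))               # ('11111', '', 5)
```

One finite computation only witnesses a lower bound on the delay of a program: `simulate` can refute $k$-boundedness (the `SINK` program exceeds any fixed $k$ given enough input) but cannot establish it, since $k$-boundedness is a property of all computations. Deciding it for every computation is what the tree automaton for bounded delay in Section 3 does.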

3 Solving the Synthesis Problem Using Deterministic Tree Automata 

The synthesis problem for structured reactive programs with bounded delay can be formulated as follows: Given an ω-regular specification $R \subseteq (\mathbb{B} \times \mathbb{B})^\omega$ representing the permissible input/output sequences, a finite set of Boolean variables $B$ and a delay bound $k \in \mathbb{N}$, the task is to construct a structured reactive program $p$ over $B$ with $k$-bounded delay such that $\langle\langle p\rangle\rangle \subseteq R$, or to detect that no such program exists. (However, our results can easily be generalized to finite input and output alphabets other than $\mathbb{B}$ by allowing input and output statements that process multiple Boolean values as in [10].) In the following we assume that the specification $R$ is provided in the form of a nondeterministic Büchi automaton (NBA) $\mathcal{A}_R$ over the alphabet $\mathbb{B} \times \mathbb{B}$ that recognizes the complement of the specification, i.e., $L(\mathcal{A}_R) = (\mathbb{B} \times \mathbb{B})^\omega \setminus R$, which is always possible for ω-regular specifications.
Our synthesis procedure is based on the fact that programs can be viewed as trees. Figure 1 shows an example of a tree representation of a program. We use deterministic bottom-up tree automata (DTAs, see, for example, [15]) to recognize sets of programs. More specifically, we show the following theorem:

Theorem 1. Let $B$ be a finite set of Boolean variables, let $k \in \mathbb{N}$ and let $\mathcal{A}_R$ be a nondeterministic Büchi automaton recognizing the complement of a specification $R \subseteq (\mathbb{B} \times \mathbb{B})^\omega$. We can construct a DTA that accepts a tree $p$ iff $p$ is a reactive program over $B$ with $k$-bounded delay and $\langle\langle p\rangle\rangle \subseteq R$, such that the size of this DTA is doubly exponential in $|B|$ and $k$ and exponential in the size of $\mathcal{A}_R$.



    while true do {
        input b1;
        b2 := b2 ∨ b1;
        output b2
    }

Figure 1: Example: A program and its tree representation (the tree diagram is not reproduced here).

An emptiness test on this DTA yields a solution to the synthesis problem. We obtain the desired tree automaton by intersecting three DTAs: The first DTA $\mathcal{B}_{sat}(B, k, \mathcal{A}_R)$ recognizes the set of programs over $B$ whose $k$-bounded computations satisfy the specification $R$. That means, a program $p$ is accepted iff $\langle\langle p\rangle\rangle_k \subseteq R$. The second DTA $\mathcal{B}_{reactive}(B)$ recognizes the reactive programs over $B$. Finally, we use a third DTA $\mathcal{B}_{delay}(B, k)$ to recognize the programs over $B$ with $k$-bounded delay. We only consider the construction of $\mathcal{B}_{sat}(B, k, \mathcal{A}_R)$ here, as the other two DTAs can be constructed in a very similar way.

The DTA $\mathcal{B}_{sat}(B, k, \mathcal{A}_R)$ evaluates a given program $p$ in a bottom-up manner, thereby assigning one of its states to each node of the program tree. The state reached at the root node must provide enough information to decide whether $\langle\langle p\rangle\rangle_k \subseteq R$, or equivalently, whether $\langle\langle p\rangle\rangle_k \cap L(\mathcal{A}_R) = \emptyset$. To that end, we are interested in the possible runs of $\mathcal{A}_R$ on the input/output sequences generated by the program. Thus, we consider pairs of program computations and corresponding runs of $\mathcal{A}_R$, which we call co-executions. Intuitively, $\mathcal{B}_{sat}(B, k, \mathcal{A}_R)$ inductively computes a representation of the possible co-executions of a given program and $\mathcal{A}_R$. We define these representations, called co-execution signatures, in the following.

The beginning and end of a co-execution can be indicated by a valuation of the program variables and a state of $\mathcal{A}_R$. However, we have to consider the following: The input sequence of a computation might be longer or shorter than its output sequence, but a run of $\mathcal{A}_R$ only consumes input and output sequences of the same length. The suffix of the input/output sequence after the end of the shorter sequence, called the overhanging suffix, is hence still waiting to be consumed by $\mathcal{A}_R$. Thus, we indicate the start and end of a co-execution by tuples of the form $\gamma = (\alpha, s, u, v)$, called co-configurations, where $\alpha$ is a variable valuation, $s$ is a state of $\mathcal{A}_R$ and $(u, v) \in (\mathbb{B}^* \times \{\varepsilon\}) \cup (\{\varepsilon\} \times \mathbb{B}^*)$ is an overhanging suffix. Since we are only interested in $k$-bounded computations, we only consider co-configurations with $|u| \le k$ and $|v| \le k$. The set of these co-configurations for a given set of variables $B$ and a given NBA $\mathcal{A}_R$ is denoted by $\mathrm{CoCfg}_k(B, \mathcal{A}_R)$.

A finite co-execution is called complete if the program terminates at the end of the computation. The finite co-execution signature $\mathrm{cosig}^{fin}(p, \mathcal{A}_R, k)$ of a program $p$ (with respect to $\mathcal{A}_R$) is a relation consisting of tuples of the form $(\gamma, f, \gamma')$ with $f \in \mathbb{B}$, which indicate that there exists a complete $k$-bounded co-execution that starts with the co-configuration $\gamma$ and ends with $\gamma'$ such that the corresponding run of $\mathcal{A}_R$ visits a final state iff $f = 1$. The infinite co-execution signature $\mathrm{cosig}^\infty(p, \mathcal{A}_R, k)$ of $p$ is a set of co-configurations with $\gamma \in \mathrm{cosig}^\infty(p, \mathcal{A}_R, k)$ iff there exists an infinite $k$-bounded co-execution starting with $\gamma$ such that the run of $\mathcal{A}_R$ visits a final state infinitely often. We use pairs consisting of a finite and an infinite co-execution signature as states of the DTA $\mathcal{B}_{sat}(B, k, \mathcal{A}_R)$. The size of the DTA is hence determined by the number of possible co-execution signatures, which is doubly exponential in the number of variables and $k$ and exponential in the size of $\mathcal{A}_R$. For a fixed $k$, this matches the complexity of Madhusudan's construction [10].

If $\alpha_0$ is the initial variable valuation (where all variables have the value 0) and $s_0$ is the initial state of $\mathcal{A}_R$, then $(\alpha_0, s_0, \varepsilon, \varepsilon) \in \mathrm{cosig}^\infty(p, \mathcal{A}_R, k)$ iff there is an initial $k$-bounded computation of $p$ such that some corresponding run of $\mathcal{A}_R$ visits a final state infinitely often. Hence $\langle\langle p\rangle\rangle_k \subseteq R$ iff $(\alpha_0, s_0, \varepsilon, \varepsilon) \notin \mathrm{cosig}^\infty(p, \mathcal{A}_R, k)$, so $\mathrm{cosig}^\infty(p, \mathcal{A}_R, k)$ is indeed sufficient to decide whether $\langle\langle p\rangle\rangle_k \subseteq R$. It remains to be shown that the co-execution signatures can be computed inductively. As an example, we consider the case of programs of the form $p$ = "while $e$ do $p_1$". First, we construct a representation $\mathrm{cosig}^*_e(p_1, \mathcal{A}_R, k)$ of all finite sequences of consecutive co-executions of $p_1$ that are compatible with the loop condition $e$. To that end, we consider only those tuples $(\gamma, f, \gamma')$ in $\mathrm{cosig}^{fin}(p_1, \mathcal{A}_R, k)$ where the variable valuation in $\gamma$ satisfies the loop condition $e$, and compute the reflexive transitive closure of the resulting relation. Formally, we have $\mathrm{cosig}^*_e(p_1, \mathcal{A}_R, k) = \mathrm{closure}(C)$ with $C = \{ ((\alpha, s, u, v), f, \gamma') \in \mathrm{cosig}^{fin}(p_1, \mathcal{A}_R, k) \mid \alpha \in [e] \}$. Here, $[e]$ denotes the set of variable valuations that satisfy $e$, and $\mathrm{closure}(C)$ is the smallest relation $D \subseteq \mathrm{CoCfg}_k(B, \mathcal{A}_R) \times \mathbb{B} \times \mathrm{CoCfg}_k(B, \mathcal{A}_R)$ such that

• $(\gamma, 0, \gamma) \in D$ for all $\gamma \in \mathrm{CoCfg}_k(B, \mathcal{A}_R)$, and

• $(\gamma, f_1, \gamma') \in D$ and $(\gamma', f_2, \gamma'') \in C$ implies $(\gamma, \max\{f_1, f_2\}, \gamma'') \in D$.

Using $\mathrm{cosig}^*_e(p_1, \mathcal{A}_R, k)$, the co-execution signatures for $p$ can be computed by the following reasoning: A finite co-execution of $p$ = "while $e$ do $p_1$" (and $\mathcal{A}_R$) can be decomposed into a finite sequence of co-executions of $p_1$. An infinite co-execution of $p$ can either eventually stay inside a loop iteration forever or traverse infinitely many iterations. It can therefore be decomposed either into a finite sequence of co-executions of $p_1$ followed by an infinite co-execution of $p_1$, or into a finite sequence of co-executions of $p_1$ followed by a cycle of co-executions of $p_1$ leading back to a previous co-configuration. Thus, we obtain the following formal representation of the co-execution signatures for $p$:

• $(\gamma, f, (\alpha', s', u', v')) \in \mathrm{cosig}^{fin}(p, \mathcal{A}_R, k)$ iff $(\gamma, f, (\alpha', s', u', v')) \in \mathrm{cosig}^*_e(p_1, \mathcal{A}_R, k)$ and $\alpha' \notin [e]$.

• $\gamma \in \mathrm{cosig}^\infty(p, \mathcal{A}_R, k)$ iff at least one of the following holds:

  - There exist $\gamma' = (\alpha', s', u', v') \in \mathrm{CoCfg}_k(B, \mathcal{A}_R)$ and $f \in \mathbb{B}$ such that $(\gamma, f, \gamma') \in \mathrm{cosig}^*_e(p_1, \mathcal{A}_R, k)$, $\alpha' \in [e]$ and $\gamma' \in \mathrm{cosig}^\infty(p_1, \mathcal{A}_R, k)$.

  - There exist $\gamma' = (\alpha', s', u', v') \in \mathrm{CoCfg}_k(B, \mathcal{A}_R)$ and $f \in \mathbb{B}$ such that $(\gamma, f, \gamma') \in \mathrm{cosig}^*_e(p_1, \mathcal{A}_R, k)$, $\alpha' \in [e]$ and $(\gamma', 1, \gamma') \in \mathrm{cosig}^*_e(p_1, \mathcal{A}_R, k)$.
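As an added example (not the paper's code), the following Python carries the while-loop case through on a constructed toy signature: `closure` is the reflexive transitive closure with the $\max$ flag, `cosig_star` restricts to steps whose start valuation satisfies the loop guard, and `while_signatures` applies the finite rule and the two infinite rules above. Co-configurations are plain tuples $(\alpha, s, u, v)$. The single variable $b$ with guard $e = b$, the NBA state names `q0`/`q1`, and the signature `FIN_P1` of the hypothetical loop body $p_1$ are constructed for illustration and are not derived from any automaton; the names `G0`, `G1`, `G2`, `loop_guard` and `example` are ours.

```python
from itertools import product
from typing import Callable, Set, Tuple

# A co-configuration gamma = (alpha, s, u, v): valuation alpha as a tuple of bits,
# NBA state s, overhanging suffix (u, v) with u == '' or v == ''.
Cfg = Tuple[Tuple[int, ...], str, str, str]
Fin = Set[Tuple[Cfg, int, Cfg]]   # finite signature: triples (gamma, f, gamma')
Inf = Set[Cfg]                    # infinite signature: set of co-configurations
Guard = Callable[[Tuple[int, ...]], bool]   # the set [e] as a predicate on alpha


def closure(C: Fin, cfgs: Set[Cfg]) -> Fin:
    """Smallest D with (g, 0, g) in D for every g in cfgs and, whenever
    (g, f1, g') in D and (g', f2, g'') in C, also (g, max(f1, f2), g'') in D.
    The flag records whether a final state was visited on some step; the
    fixpoint terminates because CoCfg_k x B x CoCfg_k is finite."""
    D: Fin = {(g, 0, g) for g in cfgs}
    changed = True
    while changed:
        changed = False
        for (g, f1, g1), (h, f2, g2) in product(list(D), C):
            t = (g, max(f1, f2), g2)
            if g1 == h and t not in D:
                D.add(t)
                changed = True
    return D


def cosig_star(fin_p1: Fin, cfgs: Set[Cfg], sat_e: Guard) -> Fin:
    """cosig*_e(p1): closure of the complete co-executions of p1 that start in a
    valuation satisfying the loop guard e."""
    C = {(g, f, g2) for (g, f, g2) in fin_p1 if sat_e(g[0])}
    return closure(C, cfgs)


def while_signatures(fin_p1: Fin, inf_p1: Inf, cfgs: Set[Cfg],
                     sat_e: Guard) -> Tuple[Fin, Inf]:
    """Signatures of p = "while e do p1" computed from those of p1."""
    star = cosig_star(fin_p1, cfgs, sat_e)
    # Finite rule: a run of iterations that ends in a valuation falsifying e.
    fin_p: Fin = {(g, f, g2) for (g, f, g2) in star if not sat_e(g2[0])}
    # Infinite rules: reach g2 with e still true, then either (i) stay inside one
    # iteration forever, or (ii) cycle back to g2 while visiting a final state.
    inf_p: Inf = {g for (g, f, g2) in star
                  if sat_e(g2[0]) and (g2 in inf_p1 or (g2, 1, g2) in star)}
    return fin_p, inf_p


# ---- constructed toy instance: one variable b, guard e = b, NBA states q0/q1 ----
G0: Cfg = ((1,), 'q0', '', '')
G1: Cfg = ((1,), 'q1', '', '')
G2: Cfg = ((0,), 'q0', '', '')
CFGS = {G0, G1, G2}
# Hypothetical finite signature of the loop body p1: from G0 one complete
# co-execution leads to G1 without visiting a final state; from G1 either back
# to G0 through a final state (flag 1) or to G2, where b = 0 ends the loop.
FIN_P1: Fin = {(G0, 0, G1), (G1, 1, G0), (G1, 0, G2)}
INF_P1: Inf = set()   # p1 itself has no infinite co-execution


def loop_guard(alpha: Tuple[int, ...]) -> bool:
    return alpha[0] == 1   # [e] for e = b


def example() -> Tuple[Fin, Inf]:
    return while_signatures(FIN_P1, INF_P1, CFGS, loop_guard)


if __name__ == '__main__':
    fin_p, inf_p = example()
    print(sorted(fin_p))   # five triples, all ending in G2
    print(inf_p)           # {G0, G1}: both can loop forever through a final state
```

In the toy instance, `G0` and `G1` end up in the infinite signature because the cycle `G0 -> G1 -> G0` carries flag 1, i.e. some iteration visits a final state of $\mathcal{A}_R$, while `G2` only reaches itself trivially and falsifies the guard. Following the decision criterion of the text, if `G0` were the initial co-configuration $(\alpha_0, s_0, \varepsilon, \varepsilon)$, the DTA would reject this loop as violating $R$.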

4 Lower Bound for the Size of the Tree Automata 

We show the following lower bound for the size of any nondeterministic tree automaton (NTA) recognizing the desired set of programs:

Theorem 2. Let $B$ be a set of $n$ Boolean variables, let $k \in \mathbb{N}$ and let $R \subseteq (\mathbb{B} \times \mathbb{B})^\omega$ be a specification that is realizable by some program over $B$ with $k$-bounded delay. Let $\mathcal{C}$ be an NTA that accepts a tree $p$ iff $p$ is a reactive program over $B$ with $k$-bounded delay and $\langle\langle p\rangle\rangle \subseteq R$. Then $\mathcal{C}$ has at least $2^{2^{n-1}}$ states.

For a sketch of the proof, consider a set of Boolean variables $B = \{b_1, \ldots, b_n\}$. There are $2^{2^{n-1}}$ functions of the type $\mathbb{B}^{n-1} \to \mathbb{B}$. Each of these functions can be implemented by a program that checks the values of $b_1, \ldots, b_{n-1}$ and sets $b_n$ to the corresponding function value. An NTA as in Theorem 2 must be able to distinguish all of these programs. Otherwise, let $p_i$ and $p_j$ be two such programs that cannot be distinguished by the NTA. We could then construct a program that satisfies the specification and contains $p_i$ as a subprogram, but runs into a non-reactive infinite loop if this subprogram is replaced by $p_j$. The NTA would accept both variants, including the non-reactive program, which contradicts the premise.

5 Conclusion 

The contributions of this paper are threefold, advancing the study of structured reactive programs: We introduced a formal semantics for structured reactive programs in the sense of [10]. Furthermore, we presented a new synthesis algorithm for structured reactive programs with bounded delay, using the elementary concept of deterministic bottom-up tree automata. Finally, we showed a lower bound for the size of any nondeterministic tree automaton that recognizes the set of specification-compliant programs, emphasizing the importance of choosing a small yet still sufficient set of program variables. Estimating the number of Boolean variables that are needed to realize a given specification is a major open problem. While [13] implies an exponential upper bound for the required number of variables in the case of LTL specifications, a corresponding lower bound is still to be determined.